• About
  • Offices
  • Careers
  • Students
  • Alumni
Background Image
Logo Bennett Jones
  • People
  • Expertise
  • Resources
  • Search
  • Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All

FEATURED AREAS

Energy
Funds & Finance
Mining
Capital Projects
All Industries
Crisis & Risk Management
Environmental, Social & Governance
Governmental Affairs & Public Policy
All Practices
Insights
Media
Events
Subscribe
COVID-19 Resource Centre
Business Law Talks Podcast
Kickstart
New Energy Economy Series
People
Featured Areas
All Practices
All Industries
About
Offices
Careers
Insights
Events
Search
Search
 
Blog

Cyber Breach at the Ontario Cannabis Store Impacts 4,500 Consumers

November 07, 2018

Written by Ruth Promislow and Katherine Rusk

The Toronto Sun reported this morning that the privacy of 4,500 consumers of recreational cannabis in Ontario has been compromised. The names and addresses of individuals purchasing cannabis through the Ontario Cannabis Store (OCS) website, and the names of the individuals who signed for the package delivery, was accessed by an unidentified individual through the Canada Post online tracking tool in late October or early November.

The OCS has notified the impacted consumers and has reported the breach to the Office of the Privacy Commissioner. Canada Post has announced that it has fixed the loophole and further unauthorized access has been prevented. During the ramp up to legalization and over the past few weeks, the OCS has consistently prioritized the privacy of its consumers. For example, its privacy policy reveals a focus on shipping, stating that "when we ship orders, we deliver in discreet, plain packaging, so the nature of your purchase is not revealed." Privacy has been noted as a major concern for many consumers of cannabis.

But even the most prepared corporation can be at risk when a third-party service provider is breached. Understanding the risk of a cyberattack on your third-party service providers is an integral part of any business arrangement.

Consumers of recreational cannabis in Ontario who are worried about their privacy do not have an alternative legal purchase option at the moment as they are required to purchase from the OCS's website and Canada Post is the only shipping provider.

Addresses and names of consumers are generally considered to be "personal information" under Canada's federal privacy Act, PIPEDA. The OCS breach highlights the risk of attacks and cybersecurity incidents occurring through third-party service providers. While some of the tasks surrounding consumer privacy can be contracted out, the ultimate responsibility for maintaining consumer privacy cannot be delegated.

Third-party vendors are a critical factor in cybersecurity. If you are an organization that engages third-party service providers to assist with processing personal information, you should protect yourself by ensuring that you have a recorded basis for selecting the third-party vendor. This should also ensure that you know the third party has the appropriate safeguards in place. Contractual provisions with third parties should identify items such as:

  • its obligation to safeguard the personal information;
  • its obligation to notify you about security incidents;
  • your ability to oversee and potentially audit its operations as it concerns the personal information it processes on your behalf;
  • who bears the burden of the costs associated with a data security incident; and
  • any requirement that it procure cybersecurity insurance to cover the costs associated with a breach.

The Bennett Jones Cybersecurity group can help review your cybersecurity and privacy preparations to ensure that your organization is ready for when a breach occurs.

Author

  • Ruth E. Promislow Ruth E. Promislow, Partner

Read the New Energy Economy Series

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

The Rise of ESG Bonds in Corporate Financing

March 02, 2021
       

Blog

Another Reminder of the Low Bar for Class Action Certification [...]

March 01, 2021
       

Blog

Are Gun Manufacturers Liable for Mass Shootings?

March 01, 2021
       

Blog

Evidence of Harm Required To Advance Class Action Following Data Breach

February 24, 2021
       

Blog

Site Rehabilitation Program Periods 5 and 6 Further Expand Program Scope

February 22, 2021
       

The firm that businesses trust with their most complex legal matters.

  • Privacy Policy
  • Disclaimer
  • Terms of Use

© Bennett Jones LLP 2021. All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP

Logo Bennett Jones